update v2.29 based on the containerd feature (#2044)

buraksekili · web-flow · commit 0f43e85dfd69 · 2025-12-08T09:46:18.000+01:00
Signed-off-by: Burak Sekili &lt;32663655+buraksekili@users.noreply.github.com&gt;
diff --git a/content/kubermatic/v2.29/tutorials-howtos/kkp-configuration/registry-mirrors/_index.en.md b/content/kubermatic/v2.29/tutorials-howtos/kkp-configuration/registry-mirrors/_index.en.md
@@ -5,16 +5,22 @@ weight = 8
 
 +++
 
-## docker.io Pull Rate Limitations
+## Overview
 
-`docker.io` registry introduced pretty low rate limits for unauthenticated
-requests. To ensure uninterrupted workloads it's possible to configure the
-`Seed` in a way that docker.io registry will be used through the caching proxy.
+Registry mirrors allow you to configure mirror endpoints for container registries to improve image pull performance, avoid rate limits, and increase reliability through fallback mirrors.
 
-### Configuring Public Pull-through Caching Proxy
+Container registry configuration can be applied at two levels:
 
-Google has launched [caching public images proxy mirror.gcr.io](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images).
-Let's configure KKP to use it.
+- **Datacenter Level** (via Seed `NodeSettings`): Default settings for all clusters in a datacenter
+- **Cluster Level** (via Cluster `ContainerRuntimeOpts`): Cluster-specific overrides
+
+## Datacenter-Level Configuration
+
+Configure registry mirrors at the datacenter level to provide defaults for all user clusters.
+
+### Example: Configuring docker.io Mirror
+
+`docker.io` registry has rate limits for unauthenticated requests. You can configure a caching proxy like [Google's mirror.gcr.io](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images):
 
 ```yaml
 apiVersion: kubermatic.k8c.io/v1
@@ -37,6 +43,63 @@ spec:
                 - mirror.gcr.io
 ```
 
+### Example: Multiple Mirrors for High Availability
+
+Configure multiple mirrors per registry for automatic fallback:
+
+```yaml
+apiVersion: kubermatic.k8c.io/v1
+kind: Seed
+metadata:
+  name: <<exampleseed>>
+  namespace: kubermatic
+spec:
+  datacenters:
+    dc1:
+      node:
+        containerdRegistryMirrors:
+          registries:
+            docker.io:
+              mirrors:
+                - https://mirror1.company.com
+                - https://mirror2.company.com
+                - mirror.gcr.io
+            quay.io:
+              mirrors:
+                - https://quay-mirror.company.com
+```
+
+When configured this way, containerd attempts mirrors in order and falls back to the next if one fails, ensuring high availability.
+
+## Cluster-Level Configuration
+
+Override datacenter defaults for specific clusters using `ContainerRuntimeOpts`:
+
+```yaml
+apiVersion: kubermatic.k8c.io/v1
+kind: Cluster
+metadata:
+  name: my-cluster
+spec:
+  containerRuntimeOpts:
+    containerdRegistryMirrors:
+      registries:
+        docker.io:
+          mirrors:
+            - https://cluster-specific-mirror.company.com
+            - mirror.gcr.io
+```
+
+Cluster-level configuration completely overrides datacenter-level settings for that cluster (not merged).
+
+For other container runtime settings including:
+- Insecure registries
+- Registry mirrors
+- Custom pause container images
+- Non-root device ownership
+- Legacy registry mirror format
+
+
 See more for the [full example of Seed][seed-example] with comments and all possible
 options.
 
